Security awareness and training policy

See CIO 2100.1P – GSA IT Security Policy

  • Chapter 3, Policy for Identify Function, which covers:
    • AT-1 policy control
  • Chapter 4, Policy for Protect Function, which covers:
    • AT family implementation controls

The latest version can be found on the GSA IT Security Policies page.

Purpose

Provide the highest quality training in modern security practices, ensure announcements regarding new risks to information systems circulate immediately, and facilitate collaboration across the Service to develop new technologies or methodologies to compensate for risk.

Scope

See the Applicability section of the GSA IT Security Policy.

Policy overlay

For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates, please see the Technology Transformation Service's (TTS) Common Control Policy.

Procedures

If cloud.gov staff fail to comply with GSA security training requirements, their access to all GSA information systems is terminated. This includes access to cloud.gov systems.

See AT-2, AT-2 (2).

The cloud.gov Program Manager ensures that Cloud Operations staff with significant information system security roles complete role-based security-related training upon being granted access, and subsequent refresher training at least annually.

Whenever a new person joins the Cloud Operations team, the cloud.gov Program Manager assigns the team member a GitHub issue documenting a checklist of required training materials. The same process is applied to each team member annually as if they were a new team member.

Training records for GSA-mandated training are kept for at least one year; cloud.gov-specific records are kept for at least five years.

See AT-3, AT-4.

Version history

Complete version history: https://github.com/cloud-gov/cg-compliance-docs/commits/master/AT-Policy.md

  • 2016-10: Initial version for authorization
  • 2017-09: Security policy link updates
  • 2019-12: Update links to GSA security policy
  • 2020-11: Update links to GitHub and GSA policies, split controls by CSF, add version history
  • 2021-11: State retention policy for training records
  • 2024-05: Update links to GSA Security Policy